Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for delegated authorization at a security edge protection proxy (SEPP), the method comprising: at a SEPP including at least one processor and a memory: intercepting, by the SEPP and from a first consumer network function (NF) separate from the SEPP and that does not support access-token-based authorization, a first service based interface (SBI) service request lacking an access token and for accessing a service provided by a first 5G producer NF that requires access-token-based authorization; operating, by the SEPP, as an access token authorization client proxy to obtain a first access token on behalf of the first consumer NF, wherein operating as the access token authorization client proxy includes signaling, by the SEPP and with an NF repository function (NRF) that operates as an access token authorization server, to obtain the first access token from the NRF, wherein the NRF is a 5G NRF separate from the SEPP that stores NF profiles of producer NFs registered with the NRF and signaling with the NRF to obtain the first access token includes: generating, by the SEPP, an access token request on behalf of the first consumer NF; transmitting the access token request from the SEPP to the 5G NRF that is separate from the SEPP; and receiving, by the SEPP and from the 5G NRF that is separate from the SEPP and upon successful validation of the access token request by the 5G NRF, an access token response including the first access token; and using the first access token to enable the first consumer NF to access the service provided by the first producer NF, wherein using the first access token to access the service provided by the first producer NF includes inserting the first access token in the first SBI request and forwarding, by the SEPP, the first SBI request to the first producer NF.
2. The method of claim 1 wherein generating the access token request includes extracting values for at least some attributes to be included in the access token request from a user agent header of the first SBI service request.
3. The method of claim 2 wherein extracting values for at least some of the attributes includes extracting an NF instance ID of the first consumer NF from the user agent header of the first SBI service request.
4. The method of claim 1 wherein using the first access token to enable the first consumer NF to access the service provided by the first producer NF includes: receiving, by the SEPP, an SBI service response from the first producer NF; and forwarding, by the SEPP, the SBI service response to the first consumer NF.
5. The method of claim 1 comprising: receiving, by the SEPP and from a second consumer NF separate from the SEPP, an access token request; operating, by the SEPP, as an access token authorization server proxy on behalf of an NRF that does not support access token authorization in response to the access token request from the second consumer NF; and signaling, by the SEPP and with the second consumer NF and a second producer NF to enable the second consumer NF to access a service provided by the second producer NF.
6. The method of claim 5 wherein operating as an access token authorization server proxy comprises: generating, by the SEPP and in response to the access token request, a second access token; and transmitting, by the SEPP and to the second consumer NF, an access token response including the second access token.
7. The method of claim 6 wherein signaling, by the SEPP and with the second producer NF to enable the second consumer NF to access the service provided by the second producer NF includes: receiving, by the SEPP and from the second consumer NF, a second SBI service request including the second access token; removing, by the SEPP, the second access token from the second SBI service request; forwarding, by the SEPP, the second SBI service request to the second producer NF; receiving, by the SEPP, an SBI service response from the second producer NF; and forwarding, by the SEPP, the SBI service response to the second consumer NF.
8. The method of claim 6 wherein generating the second access token includes generating an OAuth 2.0 access token comprising a dummy access token with syntactically correct claims.
9. A system for delegated authorization at a security edge protection proxy (SEPP), the system comprising: a SEPP including at least one processor and a memory; and an access token authorization client proxy implemented by the at least one processor for intercepting, from a first consumer network function (NF) separate from the SEPP and that does not support access-token-based authorization, a first service based interface (SBI) service request lacking an access token and for accessing a service provided by a first producer NF that requires access-token-based authorization, obtaining the first access token on behalf of the first consumer NF, and using the first access token to enable the first consumer NF to access the service provided by the first producer NF, wherein obtaining the first access token on behalf of the first consumer NF includes signaling with an NF repository function (NRF) that operates as an access token authorization server, to obtain the first access token from the NRF, wherein the NRF is a 5G NRF separate from the SEPP that stores NF profiles of producer NFs registered with the NRF and signaling with the NRF to obtain the first access token includes: forwarding the request to an additional separate NRF, if required, for validation; generating an access token request on behalf of the first consumer NF; transmitting the access token request to the NRF; and receiving, from the NRF, an access token response including the first access token, and the access token authorization client proxy is further configured for using the first access token to access the service provided by the first producer NF by inserting the first access token in the first SBI request and forwarding the first SBI request to the first producer NF.
10. The system of claim 9 wherein the access token authorization client proxy is configured to generate the access token request by extracting values for at least some attributes to be included in the access token request from a user agent header of the first SBI service request.
11. The system of claim 10 wherein the values extracted by the access token authorization client proxy include an NF instance ID of the first consumer NF from the user agent header of the first SBI service request.
12. The system of claim 9 wherein the access token authorization client proxy is configured to use the first access token to enable the first consumer NF to access the service by: receiving an SBI service response from the first producer NF; and forwarding the SBI service response to the first consumer NF.
13. The system of claim 9 comprising an access token authorization server proxy executable by the at least one processor for receiving, from a second consumer NF separate from the SEPP, an access token request; operating as an access token authorization server on behalf of an NRF that does not support access token authorization in response to the access token request from the second consumer NF; and signaling with the second consumer NF and a second producer NF to enable the second consumer NF to access a service provided by the second producer NF.
14. The system of claim 13 wherein, in operating as the access token authorization server, the access token authorization server proxy is configured to: generate, in response to the access token request, a second access token; and transmit, to the second consumer NF, an access token response including the second access token.
15. The system of claim 13 wherein the access token authorization server proxy is configured to signal with the second consumer NF and the second producer NF to enable the second consumer NF to access the service provided by the second producer NF by: receiving, from the second consumer NF, a second SBI service request including the second access token; removing the second access token from the second SBI service request; forwarding the SBI service request to the second producer NF; receiving an SBI service response from the second producer NF; and forwarding the SBI service response to the second consumer NF.
16. A non-transitory computer readable medium having stored thereon executable instructions that when executed by a processor of a computer control the computer to perform steps comprising: intercepting, by a security edge protection proxy (SEPP) and from a consumer network function (NF) separate from the SEPP and that does not support access token based authorization, a service based interface (SBI) service request lacking an access token and for accessing a service provided by a producer NF that requires access token based authorization; operating, by the SEPP, as an access token authorization client proxy to obtain a first access token on behalf of the consumer NF, wherein operating as the access token authorization client proxy includes signaling, by the SEPP and with an NF repository function (NRF) that operates as an access token authorization server, to obtain the first access token from the NRF, wherein the NRF is a 5G NRF separate from the SEPP that stores NF profiles of producer NFs registered with the NRF and signaling with the NRF to obtain the first access token includes: forwarding the request to an additional separate NRF, if required, for validation; generating, by the SEPP, an access token request on behalf of the first consumer NF; transmitting the access token request from the SEPP to the NRF; and receiving, by the SEPP and from the NRF, an access token response including the first access token; and using the first access token to enable the consumer NF to access the service provided by the producer NF, wherein using the first access token to access the service provided by the first producer NF includes inserting, by the SEPP, the first access token in the first SBI request and forwarding, by the SEPP, the first SBI request to the first producer NF.
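As an added illustration that is not code from the patent or from any vendor's SEPP, the following Python simulates the two roles the claims describe: the access token authorization client proxy of claims 1-4 (token obtained from the NRF on behalf of a consumer NF that sends no token) and the authorization server proxy of claims 5-8 (dummy token issued to the consumer, then stripped before the request reaches a producer that does not use tokens). The User-Agent format, the NRF's validation rule, the request/response dictionaries and the unsigned token encoding are all assumptions made for the demo.

```python
import base64, json, re

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)))

# Assumed User-Agent convention "<NF type>-<NF instance ID>", e.g. "AMF-amf-001" (claim 3).
UA_RE = re.compile(r"^([A-Z]+)-([A-Za-z0-9-]+)$")

class NRF:
    """Stub NRF acting as the OAuth 2.0 authorization server (assumed validation logic)."""
    def __init__(self, producer_profiles: dict):
        self.profiles = producer_profiles          # registered producer NF profiles by NF type
    def token_request(self, req: dict):
        ok = (req.get("grant_type") == "client_credentials" and req.get("nfInstanceId")
              and req.get("targetNfType") in self.profiles)
        if not ok:
            return None                            # validation failed: no token issued
        claims = {"iss": "nrf-1", "sub": req["nfInstanceId"],
                  "aud": req["targetNfType"], "scope": req["scope"]}
        return b64url(json.dumps(claims).encode())  # unsigned body, for the demo only

def producer_nf(req: dict) -> dict:
    """Producer NF that requires a bearer token on every SBI request (claim 1)."""
    if not req["headers"].get("Authorization", "").startswith("Bearer "):
        return {"status": 401}
    return {"status": 200, "body": "ok"}

class SEPP:
    def __init__(self, nrf: NRF):
        self.nrf = nrf
    # Claims 1-4: obtain a token from the NRF for a consumer that sent none, insert, forward.
    def forward_as_client_proxy(self, sbi_req: dict, producer) -> dict:
        if "Authorization" not in sbi_req["headers"]:
            m = UA_RE.match(sbi_req["headers"].get("User-Agent", ""))
            if not m:
                return {"status": 400}            # cannot build a token request without NF identity
            nf_type, nf_id = m.groups()
            token = self.nrf.token_request({"grant_type": "client_credentials",
                "nfInstanceId": nf_id, "nfType": nf_type,
                "targetNfType": sbi_req["target_nf_type"], "scope": sbi_req["scope"]})
            if token is None:
                return {"status": 403}            # NRF rejected the delegated request
            sbi_req["headers"]["Authorization"] = "Bearer " + token
        return producer(sbi_req)                  # claim 4: relay the producer's response
    # Claims 5-8: act as authorization server for an NRF without token support.
    def issue_dummy_token(self, token_req: dict) -> str:
        claims = {"iss": "sepp", "sub": token_req["nfInstanceId"],      # syntactically valid
                  "aud": token_req["targetNfType"], "scope": token_req["scope"]}
        return b64url(json.dumps(claims).encode())
    def forward_as_server_proxy(self, sbi_req: dict, legacy_producer) -> dict:
        sbi_req["headers"].pop("Authorization", None)   # claim 7: strip the dummy token
        return legacy_producer(sbi_req)
```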
January 7, 2025